Upgrading a Distributed Deployment

When upgrading to Cisco ISE, Release 1.2, first upgrade the
secondary Administration node to Release 1.2. For example, if you have a
deployment set up as shown in Figure 2, with one primary Administration node
(Node A), one secondary Administration node (Node B), one Inline Posture node
(IPN) (Node C), and four Policy Service nodes (PSNs) (Node D, Node E, Node F,
and Node G), one primary Monitoring node ( Node H), and one secondary
Monitoring node (Node I), you can proceed with the following upgrade procedure.

Note

You do not have
to manually deregister the node before an upgrade. Use the
application
upgrade command to upgrade nodes to Release 1.2. The upgrade process
deregisters the node automatically and moves it to the new deployment. If you
manually deregister the node before an upgrade, ensure that you have the
license file for the Primary Administration node before beginning the upgrade
process. If you do not have the file on hand (if your license was installed by
a Cisco partner vendor, for example), contact the Cisco Technical Assistance
Center for assistance.

Before You Begin

If you do not
have a secondary Administration node in the deployment, configure one Policy
Service node to be the secondary Administration node before beginning the
upgrade process.

Perform an on-demand backup
(manually) of the configuration and ADE-OS data from the primary Administration
node.

Perform an on-demand backup
of the Monitoring data.

Record the IPN
configuration before the upgrade so that you can reconfigure the IPN afterwards
(Inline Posture nodes are reimaged rather than upgraded in place). Note the
configuration details manually or take screenshots of the existing
configuration from the IPN user interface.

When you upgrade a complete
Cisco ISE deployment, Domain Name System (DNS) server resolution (both forward
and reverse lookups) is mandatory; otherwise, the upgrade fails.
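The DNS requirement above is easy to check before you touch the first node. The following pre-flight script is an added example, not Cisco code: it resolves every node's FQDN forward, resolves the returned address back, and reports missing records or mismatches. The live resolvers use the Python socket module; the sample run at the bottom injects a constructed zone with hypothetical hostnames and addresses (example.com, 10.0.0.x) so the script runs offline and shows both failure modes.

```python
"""Pre-upgrade DNS check for a Cisco ISE deployment (added example, not Cisco code).

Every node's FQDN must resolve to the address the node is configured with, and
that address must resolve back to the same FQDN. Resolvers are injectable so
the constructed sample below runs without a live DNS server."""
import socket


def live_forward(fqdn: str) -> str:
    return socket.gethostbyname(fqdn)


def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def check_node(fqdn, expected_ip, forward=live_forward, reverse=live_reverse):
    """Return a list of problems for one node; an empty list means both lookups agree."""
    try:
        ip = forward(fqdn)
    except OSError as exc:                       # gaierror/herror are OSError subclasses
        return [f"forward lookup of {fqdn} failed: {exc}"]
    problems = []
    if ip != expected_ip:
        problems.append(f"{fqdn} resolves to {ip}, node is configured with {expected_ip}")
    try:
        name = reverse(ip)
    except OSError as exc:
        problems.append(f"reverse lookup of {ip} failed: {exc}")
        return problems
    if name.rstrip(".").lower() != fqdn.rstrip(".").lower():   # PTR may carry a trailing dot
        problems.append(f"{ip} resolves back to {name}, not {fqdn}")
    return problems


def check_deployment(nodes, forward=live_forward, reverse=live_reverse):
    """nodes: {fqdn: configured_ip} for every node -> {fqdn: [problems]}."""
    return {fqdn: check_node(fqdn, ip, forward, reverse) for fqdn, ip in nodes.items()}


def map_resolver(table):
    """Resolver over a constructed zone; a missing entry fails like a real NXDOMAIN."""
    def resolve(key):
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return resolve


# Constructed sample deployment (hypothetical names and addresses).
SAMPLE_NODES = {
    "ise-pan.example.com": "10.0.0.11",   # Node A, primary Administration
    "ise-san.example.com": "10.0.0.12",   # Node B, secondary Administration
    "ise-psn1.example.com": "10.0.0.21",  # Node D, Policy Service
    "ipep1.example.com": "10.0.0.31",     # Node C, Inline Posture
}
SAMPLE_FORWARD = {                        # A records; ipep1 is deliberately missing
    "ise-pan.example.com": "10.0.0.11",
    "ise-san.example.com": "10.0.0.12",
    "ise-psn1.example.com": "10.0.0.21",
}
SAMPLE_REVERSE = {                        # PTR records; .21 has a stale name
    "10.0.0.11": "ise-pan.example.com",
    "10.0.0.12": "ise-san.example.com",
    "10.0.0.21": "psn1.lab.example.com",
}


def run_sample():
    return check_deployment(SAMPLE_NODES, map_resolver(SAMPLE_FORWARD), map_resolver(SAMPLE_REVERSE))


if __name__ == "__main__":
    for fqdn, problems in run_sample().items():
        print(fqdn, "OK" if not problems else "; ".join(problems))
```

Against a live deployment, call check_deployment() with your own {fqdn: ip} map and the default resolvers from the host you will run the upgrade from; fix every reported entry before starting, since the page states the upgrade fails without both lookups.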

Procedure

Step 1

Upgrade the secondary
Administration node (Node B) from the CLI.

The upgrade process
automatically deregisters Node B from the deployment and upgrades it to Release
1.2. Node B becomes the primary node of the new deployment when it restarts.
Because each deployment requires at least one Monitoring node, the upgrade
process enables the Monitoring persona on Node B even if it was not enabled on
this node in the old deployment. If the Policy Service persona was enabled on
Node B in the old deployment, this configuration is retained after upgrading to
the new deployment.

Step 2

Upgrade one of
your Monitoring nodes (Node H) to the new deployment.

We recommend
that you upgrade your primary Monitoring node before the secondary Monitoring
node (this is not possible if your primary Administration node in the old
deployment functions as your primary Monitoring node as well). Your primary
Monitoring node starts to collect the logs from the new deployment and you can
view the details from the primary Administration node dashboard.

If you have
only one Monitoring node in your old deployment, before you upgrade it, ensure
that you enable the Monitoring persona on Node A, which is the primary
Administration node in the old deployment. Node persona changes result in a
Cisco ISE application restart. Wait for Node A to come up before you proceed.
Upgrading the Monitoring node to the new deployment takes longer than the other
nodes because operational data has to be moved to the new deployment.

If Node B, the
primary Administration node in the new deployment, did not have the Monitoring
persona enabled in the old deployment, disable the Monitoring persona on it.
Node persona changes result in a Cisco ISE application restart. Wait for the
primary Administration node to come up before you proceed.

Step 3

Upgrade the Policy Service
nodes (Nodes D, E, F, and G) to Cisco ISE, Release 1.2, from the CLI. You can
upgrade several PSNs in parallel, but keep at least one PSN in service: if you
upgrade all the PSNs at the same time, your network experiences downtime.

After the
upgrade, the PSNs are registered with the primary node of the new deployment
(Node B), and the data from the primary node (Node B) is replicated to all the
PSNs. The PSNs retain their personas, node group information, and profiling
probe configurations.

Register the IPN node (Node
C) with the primary Administration node (Node B) of the new deployment. Inline
Posture nodes cannot be upgraded in place: reimage Node C with the ISE-IPN 1.2
ISO and reconfigure it from the IPN configuration you recorded before the
upgrade, as described in Upgrading Inline Posture Nodes in a Distributed
Deployment.

Step 8

If you have a
second Monitoring node (Node I) in your old deployment, you must do the
following:

Enable the
Monitoring persona on Node A, which is the primary node in your old deployment.

A
deployment requires at least one Monitoring node. Before you upgrade the second
Monitoring node from the old deployment, enable this persona on the primary
node itself. Node persona changes result in a Cisco ISE application restart.
Wait for the primary ISE node to come up again.

Upgrade
the secondary Monitoring node (Node I) from the old deployment to the new
deployment.

Upgrade the primary
Administration node (Node A) of the old deployment from the CLI. Before you do
this, every other node must already have been upgraded to the new deployment;
Node A is the last node left in the old deployment.

Node A is upgraded to
Release 1.2 and added to the new deployment as a secondary Administration node.
You can promote Node A to be the primary node in the new deployment. If you
want to retain Node B as your primary node, you must obtain a license that
includes the UDI of both the primary and secondary Administration nodes.

After the
upgrade is complete, if the Monitoring nodes that were upgraded to Release 1.2
contain old logs, ensure that you run the
application configure
ise command and choose 11 (Refresh M&T Database Statistics)
on the Monitoring nodes.

After upgrade,
your new deployment will be similar to the one shown in the figure below:

Figure 2. Complete
Deployment Upgraded to Release 1.2

CLI
Transcripts of Successful Upgrades

Here is an example
CLI transcript of a successful secondary Administration node upgrade.

Upgrading Inline Posture Nodes in a Distributed Deployment

You cannot directly upgrade Inline Posture nodes to Cisco ISE, Release 1.2. You must reimage the Cisco ISE 3300 Series appliance and install the ISE-IPN 1.2 ISO on it. This section describes the procedure to upgrade IPN nodes to Release 1.2.

Before You Begin

Ensure that you have the ISE-IPN 1.2 ISO image.

If you have an IPN high-availability pair in your deployment, cancel the high-availability pair before you deregister the IPN nodes from the Cisco ISE, Release 1.1.x, deployment.

Record all configuration data for the IPN node before you deregister it. Alternatively, save screenshots of each of the IPN tabs (from the primary Administration node user interface). Having this data on hand speeds up reregistering the IPN node.

Procedure

Step 1

Deregister the IPN node from the primary Administration node.

To verify that the IPN node has reverted to Cisco ISE node status, enter show application status ise at the CLI. If the node has not reverted, enter pep switch outof-pep at the command prompt; do this only as a last resort.

Upgrading an Active-Standby Pair of IPN Nodes in a Distributed Deployment

To upgrade an active-standby pair of Inline Posture nodes to Release 1.2, you must first cancel the high-availability pair and then reimage and install the ISE-IPN 1.2 ISO image on the nodes.

Procedure

Step 1

Log in to the primary Administration node.

Step 2

Cancel the active-standby high-availability pair.

Choose Administration > System > Deployment.

Check the check box next to the active IPEP node and click Edit.

Click the Failover tab.

Uncheck the HA Enabled check box.

Click Save.

Step 3

Click Save.

Step 4

Deregister the IPN nodes from the primary Administration node.

To verify that each IPN node has reverted to Cisco ISE node status, enter show application status ise at the CLI. If a node has not reverted, enter pep switch outof-pep at the command prompt; do this only as a last resort.

Configuring Certificates for Inline Posture Nodes

After you have installed the ISE-IPN 1.2 ISO image on any of the supported appliance platforms and run the setup program, you must configure certificates for Inline Posture nodes before you can add them to the deployment.

Before You Begin

The IPN node's certificate must be signed by the same CA that signed the primary Administration node's certificate.

You can configure Inline Posture node certificates only from the command-line interface (CLI).

If you wish to deploy an active-standby pair of Inline Posture nodes, you must configure the certificates on both the active and standby Inline Posture nodes.

Procedure

Step 1

Log in to the Inline Posture node through the CLI.

Step 2

Generate a certificate signing request (CSR) for the IPN node.

Step 3

Download the signed certificate in the DER or base64 format, and copy it to an FTP server.

Step 4

Enter the following command from the Inline Posture node CLI:

pep certificate server add

Step 5

Enter y for the application to restart.

Step 6

Enter y to bind the certificate to the last CSR.

Step 7

Enter the name of the CA-signed certificate. The IPN application restarts. You can now register this IPN node with the primary Administration node.

Generating a Certificate Signing Request for an Inline Posture Node

Before you can add an IPN to the Cisco ISE deployment, its certificate must be signed by the same CA that signed the primary Administration node's certificate.

Before You Begin

You must log in to the CLI of the IPN.

Procedure

Step 1

Enter the following command:

pep certificate server generatecsr

Step 2

Enter n to use an existing private key file with the CSR or enter y to generate a new one.

Step 3

Enter the desired key size.

Step 4

Enter the type of digest that you want to sign the certificate with.

Step 5

Enter a country code (2 letter code).

Step 6

Enter state, city, organization, and organizational unit values.

Step 7

Enter a Common Name. The Common Name must be the fully qualified domain name (FQDN) of the node, not the bare hostname. For example, if your hostname is IPEP1 and your DNS domain name is cisco.com, enter IPEP1.cisco.com as the Common Name.

Step 8

Enter your e-mail address.

Step 9

Copy the entire block of text including the blank line after the END CERTIFICATE REQUEST tag (to include the carriage return).

Step 10

Send the CSR to the CA that signed the primary Administration node’s certificate.

If you are using the Microsoft CA, choose Web Server as the Certificate Template while sending the signing request.

Note

For IPN nodes, only server authentication is supported in Release 1.2. If you use other CAs to sign the certificate, ensure that the extended key usage specifies server authentication alone.

You will receive the signed certificate from the CA.

What to Do Next

Download the signed certificate in DER or base64 format and copy it to an FTP server.
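Before copying the signed certificate to the FTP server, confirm that the CA returned what this procedure requires: the same issuer as the primary Administration node's certificate, the node FQDN as the Common Name, and serverAuth as the only extended key usage. The following Python script is an added example, not Cisco code. It accepts DER or base64 input, walks only the X.509 fields it needs (it does not verify the signature or the chain), and builds its sample certificates with an inline encoder under hypothetical names (Example Root CA, ipep1.example.com) so it runs offline. With real files, pass the bytes of the IPN certificate and of the primary Administration node's certificate to check_ipn_cert().

```python
"""Pre-install checks for a CA-signed Inline Posture node certificate (added
example, not Cisco code). Confirms the issuer matches the primary Administration
node's certificate, the Common Name is the node FQDN and the EKU is serverAuth
alone; accepts raw DER or base64/PEM. The DER walker reads only the fields it
needs (no signature check); the encoder at the bottom builds unsigned sample
certificates with hypothetical names so the script runs offline."""
import base64
import re

OID_CN, OID_EKU, OID_SERVER_AUTH = "2.5.4.3", "2.5.29.37", "1.3.6.1.5.5.7.3.1"

def load_der(data: bytes) -> bytes:
    """Return DER bytes from a raw DER file or from a base64 (PEM) block."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    """Split the contents of a SEQUENCE or SET into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw: bytes) -> str:
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                  # base-128 arcs, high bit set = more bytes follow
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def parse_name(name: bytes) -> dict:
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value} -> {oid: text}."""
    attrs = [children(attr) for _, rdn in children(name) for _, attr in children(rdn)]
    return {decode_oid(oid): val.decode("utf-8") for (_, oid), (_, val) in attrs}

def parse_cert(data: bytes) -> dict:
    """Pull issuer, subject and EKU OIDs out of an X.509 certificate."""
    _, cert, _ = read_tlv(load_der(data), 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                   # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, spki, [3] extensions
    issuer, subject, eku = fields[2][1], fields[4][1], []
    for val in (v for t, v in fields[6:] if t == 0xA3):
        for _, ext in children(children(val)[0][1]):   # each Extension ::= SEQUENCE
            parts = children(ext)                       # OID, [critical], OCTET STRING
            if decode_oid(parts[0][1]) == OID_EKU:
                eku = [decode_oid(o) for _, o in children(children(parts[-1][1])[0][1])]
    return {"issuer": parse_name(issuer), "subject": parse_name(subject), "eku": eku}

def check_ipn_cert(ipn_cert: bytes, pan_cert: bytes, fqdn: str) -> list:
    """Return the problems found; an empty list means the cert can be installed."""
    ipn, pan, problems = parse_cert(ipn_cert), parse_cert(pan_cert), []
    if ipn["issuer"] != pan["issuer"]:
        problems.append("issuer differs from the primary Administration node's CA")
    cn = ipn["subject"].get(OID_CN, "")
    if cn.lower() != fqdn.lower():
        problems.append(f"Common Name {cn!r} is not the node FQDN {fqdn!r}")
    if ipn["eku"] != [OID_SERVER_AUTH]:
        problems.append(f"EKU must be serverAuth alone, got {ipn['eku']}")
    return problems

# --- constructed sample data: a minimal DER encoder producing unsigned test certs ---
def tlv(tag: int, content: bytes) -> bytes:
    n, nb = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return tlv(0x06, bytes(body))

def sample_cert(issuer_cn: str, subject_cn: str, eku: list) -> bytes:
    """Hypothetical v3 certificate: CN-only names, empty validity/key, dummy signature."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, encode_oid(OID_CN) + tlv(0x0C, cn.encode()))))
    ext = tlv(0x30, encode_oid(OID_EKU) + tlv(0x04, tlv(0x30, b"".join(map(encode_oid, eku)))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b"") + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Comparing issuer names is the check the page asks for; in production also validate the chain against the CA certificate (for example with openssl verify), which this script does not do. A certificate that carries clientAuth in addition to serverAuth is reported, since the Note above states that only server authentication is supported for IPN nodes in this release.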

Copying a Signed Certificate to an FTP Server

Before You Begin

You must generate a certificate signing request (CSR) for the Inline Posture node and send it to the CA.

Procedure

Step 1

Enter the following command from the Inline Posture node CLI:

copy ftp://a.b.c.d/ipep1.cer disk:

a.b.c.d is the IP address of the FTP server and ipep1.cer is the CA-signed certificate that you are adding to the IPN node.

Step 2

Enter the username and password for the FTP server.

What to Do Next

Add the signed certificate to the Inline Posture node.

Replacing Old Appliances with ISE 3400 Series Appliances

This section describes how you can replace your existing old appliances with the Cisco ISE 3400 Series appliances.

Replacing Some Existing Nodes with Appliances Running Release 1.2

This section describes what to do if you want to replace some of the Cisco ISE 1.1.x nodes with new Cisco ISE, Release 1.2, appliances while upgrading to Release 1.2. Only the Administration and Monitoring nodes can be configured with primary and secondary roles for high availability. Policy Service nodes can be grouped together for load balancing and failover.

Before You Begin

If you are replacing some of the appliances with new SNS-3400 Series appliances, obtain a license with the UDI of the new SNS-3400 Series appliances that you are going to configure as the primary and secondary Administration nodes.

Procedure

Step 1

Upgrade the existing secondary Administration node to Release 1.2.

This node automatically deregisters itself from the old deployment and becomes the primary Administration node in the new deployment.

Step 2

Upgrade the Monitoring, Policy Service, Inline Posture, and primary Administration nodes to the new deployment as described in the Upgrading Nodes in a Distributed Deployment section.

Step 3

Promote one of the new SNS-3400 Series appliances to be the primary Administration node of the new deployment, and install the license that you obtained with the UDI of the new appliance.

Replacing All Nodes with Appliances Running Release 1.2

This section describes what you should do if you want to replace all the Cisco ISE, Release 1.1.x, nodes with new SNS-3400 Series appliances while upgrading to Release 1.2. You can configure only the Administration and Monitoring nodes with primary and secondary roles for high availability. The Policy Service nodes can be grouped together for load balancing and failover purposes.

Before You Begin

Obtain a license with the UDI of the new SNS-3400 Series appliances that you are going to configure as the primary and secondary Administration nodes.

Procedure

Step 1

Perform a backup of the Cisco ISE configuration and monitoring data.

Step 2

Perform a fresh installation and configure one of the new SNS-3400 Series appliances to be the primary Administration node in the new deployment. Refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2, for details.

Step 3

Install the license based on the UDI of the new primary and secondary Administration nodes (SNS-3400 Series appliances) on the primary Administration node in the new deployment.

Step 4

Restore the Cisco ISE configuration on the primary node in the new deployment.

Step 5

On the appliance that you want to designate as the Monitoring node, perform a fresh installation, restore the monitoring backup, and register it with the primary Administration node in the new deployment.

Step 6

Perform a fresh installation and register the other SNS-3400 Series appliances with the primary Administration node in the new deployment and configure them from the primary Administration node user interface. Refer to Cisco Identity Services Engine Hardware Installation Guide, Release 1.2, and Cisco Identity Services Engine User Guide, Release 1.2, for details.